tka,types/key: remove dependency for tailcfg & types/ packages on tka

Following the pattern elsewhere, we create a new tka-specific types package for the types that need to couple between the serialized structure types, and tka. Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-10-09 08:01:31 +00:00 · 2022-08-04 11:45:19 -07:00
parent a9f6cd41fd
commit f50043f6cb
18 changed files with 139 additions and 77 deletions
--- a/types/key/nl.go
+++ b/types/key/nl.go
@@ -9,8 +9,8 @@ import (
 	"crypto/subtle"

 	"go4.org/mem"
-	"tailscale.com/tka"
 	"tailscale.com/types/structs"
+	"tailscale.com/types/tkatype"
 )

 const (
@@ -68,23 +68,26 @@ func (k NLPrivate) Public() NLPublic {
 }

 // KeyID returns an identifier for this key.
-func (k NLPrivate) KeyID() tka.KeyID {
-	pub := k.Public()
-	return tka.Key{
-		Kind:   tka.Key25519,
-		Public: pub.k[:],
-	}.ID()
+func (k NLPrivate) KeyID() tkatype.KeyID {
+	// The correct way to compute this is:
+	// return tka.Key{
+	// 	Kind:   tka.Key25519,
+	// 	Public: pub.k[:],
+	// }.ID()
+	//
+	// However, under the hood the key id for a 25519
+	// key is just the public key, so we avoid the
+	// dependency on tka by just doing this ourselves.
+	pub := k.Public().k
+	return pub[:]
 }

 // SignAUM implements tka.UpdateSigner.
-func (k NLPrivate) SignAUM(a *tka.AUM) error {
-	sigHash := a.SigHash()
-
-	a.Signatures = append(a.Signatures, tka.Signature{
+func (k NLPrivate) SignAUM(sigHash tkatype.AUMSigHash) ([]tkatype.Signature, error) {
+	return []tkatype.Signature{{
 		KeyID:     k.KeyID(),
-		Signature: ed25519.Sign(k.k[:], sigHash[:]),
-	})
-	return nil
+		Signature: ed25519.Sign(ed25519.PrivateKey(k.k[:]), sigHash[:]),
+	}}, nil
 }

 // NLPublic is the public portion of a a NLPrivate.
--- a/types/key/nl_test.go
+++ b/types/key/nl_test.go
@@ -6,6 +6,7 @@ package key

 import (
 	"bytes"
+	"crypto/ed25519"
 	"testing"

 	"tailscale.com/tka"
@@ -55,7 +56,14 @@ func TestNLPrivate(t *testing.T) {
 	if got, want := len(aum.Signatures), 1; got != want {
 		t.Fatalf("len(signatures) = %d, want %d", got, want)
 	}
-	if err := aum.Signatures[0].Verify(aum.SigHash(), k); err != nil {
-		t.Errorf("signature did not verify: %v", err)
+	sigHash := aum.SigHash()
+	if ok := ed25519.Verify(pub.Verifier(), sigHash[:], aum.Signatures[0].Signature); !ok {
+		t.Error("signature did not verify")
+	}
+
+	// We manually compute the keyID, so make sure its consistent with
+	// tka.Key.ID().
+	if !bytes.Equal(k.ID(), p.KeyID()) {
+		t.Errorf("private.KeyID() & tka KeyID differ: %x != %x", k.ID(), p.KeyID())
 	}
 }